The real victim in health data breaches? Patients' medical identities

Data breaches are happening everywhere these days, not just in healthcare. But the healthcare industry has its own set of problems when it comes to the aftermath of a security incident: unknown impact and the rise in medical fraud.

“It’s a rampant problem, and it’s not talked about enough,” said Chris Bowen, ClearDATA founder and chief privacy and security officer. “There are victims out there, and it can take years to clean up after the mess. They have to take a lot of time to correct that record. But where do you go to correct it?”

Synthetic identity theft

The Harvard Data Map Project tracks the flow of patient records throughout a patient’s journey. While there are obvious locations -- payer, health provider and discharge data -- there are a vast amount of other third-party vendors that may have some or all of a patient’s data.

How could a patient begin to get ahead of the issue and make sure a cybercriminal isn’t using their data at all of these locations? In the event of a breach, exposed data — even if the record is incomplete — can be patched together to make a whole synthetic record of a patient.

“Here’s a term: it’s called synthetic identity theft,” Bowen said. “It means I can use little pieces of data from all over the place to create a new identity. The hacker may not take the whole thing, but I can stitch together an identity and credit report, or a medical record of you and others, and really rip off the healthcare system.”

“People don’t need to pay for the theft,” he added. “Consider the Facebook breach of confidentials … Hackers had access to 50 to 90 million identities that they can now piece together to create new identities. It’s going to have a lasting effect.”

With breaches rising up to 3.4 million in Q3 from Q2 -- this is only going to get worse.

In fact, Bowen said that the dark web is inundated with medical data. And the cost has reduced from about $50 to $100 per record, “because there are so many records to buy.”

“Consider the massive Uber breach, which the company attempted to cover up,” said Bowen. “How many incidents are out there that aren’t reported?”

“There’s no evidence the data was misused”

One of the most common phrases used by healthcare organizations after a breach is that “there’s no evidence the data was misused.” But how can officials know that for certain?

“When you hear there’s no damage, the fact is they have no idea,” said Bowen. “Unless they can prove it with data logs or keys, if you don’t have the ability to prove it, the fact is you’ll never know and that’s why this is so serious.”

“Maybe they just don’t see the evidence, but it doesn’t mean there’s no evidence,” he added.

Hackers have an equal amount of tools to healthcare organizations -- with the addition of time to spare. Bowen explained that screen-scrapers and all of kinds of other methods can help steal the data. And “if they let the data get stolen, how do they know it’s not been misused?”

“There’s a couple of statements we see in notifications: You take your privacy and security seriously, we see no evidence, etc.,” said Suzanne Widup, senior information security professional for Verizon. “It makes you doubt, if you’re looking for evidence.”

“It takes awhile for criminal element to go around and use [the data],” she added. “With healthcare, it’s not like credit card information, and looking especially for these fraud patterns. There’s nothing like that for the type of data they’ve lost. And it probably won’t come to light anyway, until they find out they’ve been a victim.”

And even then, given the copious amount of breaches, Widup added that it’s hard to even track the data back to a single source.

“But it’s very difficult to protect your data if you don’t know where it is,” said Bowen. “What we’re finding is that data is still all over the place.”

For example, some security leaders will say the data is in the EHR. But what about the data sitting in medical devices that capture retina images? Or maybe there are old machines in the basement with old passwords and archived images. Bowen also asked, what about the data on patients just sitting on a doctor’s computer?

“Where is your data going? Victims of identity theft take years to fix their record, not to mention having to prove they didn’t subscribe to hundreds of opioid prescriptions,” said Bowen.

So it starts with prioritizing inventory. Bowen recommended doing a data inventory every quarter.

“Once it’s a priority, organizations can start to find protected health information,” said Bowen. “Critical tech first, as the most sensitive data are in them. Physical records are crucial as well, because then you can apply safeguards. There are different safeguard between records in the basement and the cloud.”

Bowen added that GDPR and other laws around the world make it even more complicated to keep a handle on data by building safeguards around it — including encryption.

“Once you find that data keep reviewing it,” he added. “When I sit with a CIO, they say there’s about nine hours of inventory, or we can do that in five hours. Three days later we finally finish. They had no idea the data was all over the place.”

While HITECH and other regulations have incentivized risk assessments, it’s not enough. To Bowen, there should be “a requirement to have your data inventory. It’s that important. You can’t do anything, from purchasing cyber insurance to protecting data, until you know where it’s at. It should be one of the key elements of cybersecurity.”

To that end, “Let’s stop having a patchwork of privacy law,” said Bowen. It’s time we catch up with Europe and do federal standard around privacy, so that we don’t have states like California driving a holistic approach — I think we’re starting to see that, but its way past its time.”

Checklist for patients

Bowen provided a checklist for patients to protect against medical fraud.

· If your purse or wallet get stolen, file a police report

· Have a clean copy of your medical record - this will help you prove your case if a thief changes it

· Review medical records at least annually - to check for accuracy

· Ask your provider what they do to protect your information

· Pay attention to those insurance benefit notices - watch for activity that you didn’t receive - call if you see any suspicious activity

· If you lose your insurance card, ask for a new one with a NEW ID number